ABSTRACT

In this paper, we propose a computer security index for measuring
the security of computer systems and a strategy for purchasing computer
security countermeasures in a cost effective manner. Required inputs
for the model include definition of threats and countermeasures, relative
importance of threats, costs of countermeasures, and the effectiveness
of each countermeasure against each of the threats listed. If a standardized
list of threats and countermeasures can be developed, the computer
security index could also be used to compare the security of different
computer systems.

Questions to be Addressed

In this paper, we provide answers to questions such as those
listed below provided that the inputs listed below are given.

Question 1: We are making a one-time purchase of countermeasures
for a particular computer system. For a fixed budget
allocation, which set of countermeasures yields the
most security per dollar?

Question 2: We will be purchasing countermeasures over an extended
period of time. Which countermeasures should we buy
now and which countermeasures should be purchased later?

Inputs required for Questions 1 and 2:

a. Definition of threats and countermeasures

b. Relative importance of threats

c. Costs of countermeasures

d. Effectiveness of each countermeasure against each threat listed.

Question 3: We are considering two computer systems. Which system
is the most secure?

Inputs required for Question 3:

Inputs a, b, c, and d above with the added provision that there
is a standard list of threats and countermeasures for the two systems.

There are other questions which could be answered by the model and
the accompanying computer program. These questions would generally be
different versions, or rearrangements, of the above questions. Two
such sample questions might be:

Question 4: We have several countermeasure packages which we
can purchase on an all or none basis. Which package
is the most secure?

Question 5: We have already selected several sequences for purchasing
countermeasures and plan to implement one
of them. Which sequence is best from a security
standpoint?

As with Questions 1 and 2, the inputs required to answer Questions
4 and 5 are inputs a, b, c, and d above.

Given the flexibility of the model and the accompanying computer
program, one might be able to answer other questions relating to the
security of computer systems, or for that matter, be able to answer
questions relating to the security of other systems which are not computer
systems.


3.  Discussion  of  the  Methodology 

In this section, we shall discuss (1) the model we have
developed - applicable to all five questions above; (2) the measure
of computer security we have developed - called the computer security
index - applicable to all five questions above, but particularly
applicable to Questions 3, 4 and 5; and (3) the algorithms we have developed
(applicable to Questions 1 and 2 above).


3.1.  The  Model 


We have the following situation. An adversary has certain
objectives in attacking a computer, e.g., denying use by an authorized
user, obtaining access to classified or privileged information, etc. We
label these, say K objectives, \(O_1, O_2, \dots, O_K\), and assign them relative
weights \(w_1, w_2, \dots, w_K\). To achieve these objectives, the adversary
can utilize any of certain threats, say threats \(T_{k1}, T_{k2}, \dots, T_{kI_k}\)
for objective \(O_k\), \(k = 1, 2, \dots, K\). It is quite possible that the
same threat could achieve two or more different objectives. For our
purposes, we would list the threat twice, calling it, say \(T_{12}\) and \(T_{24}\),
if it were the second threat listed to achieve objective \(O_1\) and the fourth
threat listed to achieve objective \(O_2\). We also have some countermeasure
set \(CM_1, CM_2, \dots, CM_n\) which helps prevent the adversary from carrying
out the threats to achieve his objectives. We know the cost of the
countermeasures and we have a measure of effectiveness of each countermeasure \(CM_j\)
against each threat \(T_{ki}\) in achieving objective \(O_k\) - calling this measure
of effectiveness \(c_{kij}\). This measure of effectiveness represents,
mathematically, the probability of countermeasure \(CM_j\) stopping threat \(T_{ki}\)
against objective \(O_k\). Diagrammatically we have the situation depicted in
Figure 1 (page 7).

The case where there is a one-to-one correspondence between threats
and objectives, that is, where \(I_1 = I_2 = \dots = I_K = 1\), will be called
the simplified model. And the case where there is a many-to-one
correspondence between threats and objectives, that is, where some \(I_k \neq 1\),
\(k = 1, 2, \dots, K\), will be called the generalized model.

3.2. The Computer Security Index

We propose the following computer security index \(U'\) for the full
countermeasure set \((CM_1, CM_2, \dots, CM_n)\):

\[ U' = \sum_{k=1}^{K} w_k \prod_{i=1}^{I_k} \Big[ 1 - \prod_{j=1}^{n} (1 - c_{kij}) \Big] \]

Let us examine this function:

\(c_{kij}\): represents probability that countermeasure \(CM_j\) stops threat
\(T_{ki}\) against objective \(O_k\).

\(\bar{c}_{kij} = (1 - c_{kij})\): represents probability that countermeasure \(CM_j\)
does not stop threat \(T_{ki}\) against objective \(O_k\).

\(\bar{C}_{ki.} = \prod_{j=1}^{n} \bar{c}_{kij}\): represents probability that threat \(T_{ki}\) is not
stopped against objective \(O_k\).

\(C_{ki.} = 1 - \bar{C}_{ki.}\): represents probability that threat \(T_{ki}\) against
objective \(O_k\) is stopped.

\(C_{k..} = \prod_{i=1}^{I_k} C_{ki.}\): represents probability that all threats against
objective \(O_k\) are stopped, i.e., probability that objective \(O_k\) is protected.

Recalling that \(w_k\) represents the relative weight of objective k, \(U'\) then
equals \(\sum_{k=1}^{K} w_k C_{k..}\).

At this point, several observations may be made. First, we have
that \(0 \le U' \le 1\), if we replace \(w_k\) by \(W_k = w_k / \sum_{t=1}^{K} w_t\). So call this new index
\(U\) where we replace \(w_k\) by \(W_k\) in the definition of \(U'\). Second, we have
\(C_{k..} \le C_{ki.}\) for all \(i = 1, 2, \dots, I_k\). This is a "weakest link" type
property - that is, the probability of protecting an objective is no higher
than the lowest probability of stopping any particular threat against
that objective. In particular, this means that if we have zero probability
of stopping threat \(T_{ki}\) against objective \(O_k\), we have zero probability of
protecting objective \(O_k\). This all seems reasonable since any adversary
would certainly choose a threat with the least resistance to achieve an
objective.

If we had something less than a full countermeasure set, the computer
security index would be:

\[ U = \sum_{k=1}^{K} W_k \prod_{i=1}^{I_k} \Big[ 1 - \prod_{j=1}^{n} (1 - c_{kij})^{x_j} \Big] \]

where \(x_j = 1\) if countermeasure \(CM_j\) is included in set
      \(x_j = 0\) if countermeasure \(CM_j\) is not included in set

3.3.  The  Algorithms 


We can represent the countermeasure set being used by an n-long
binary vector

\[ Y = (x_1, x_2, \dots, x_n) \]

where: \(x_j = 1\) if countermeasure \(CM_j\) is included in set Y
       \(x_j = 0\) if countermeasure \(CM_j\) is not included in set Y

So, for \(n = 5\), the vector \(Y = (10110)\) means countermeasures \(CM_1\),
\(CM_3\), and \(CM_4\) are included in the countermeasure set and \(CM_2\) and \(CM_5\)
are not included. There are of course \(2^n\) possible countermeasure sets.

Our goal is to develop a particular sequence of countermeasure sets
\(Y_1, Y_2, \dots, Y_n\) that is in some sense cost effective, where \(Y_i\) and \(Y_{i+1}\)
differ only in that one position in the vector has a zero in \(Y_i\) and a
one in \(Y_{i+1}\). For example, if

\(Y_i = (0\ 1\ 1\ 1\ 0\ 1)\)

the only candidates for \(Y_{i+1}\) are

\(Y_{i+1} = (1\ 1\ 1\ 1\ 0\ 1)\)

and

\(Y_{i+1} = (0\ 1\ 1\ 1\ 1\ 1)\).

So we start with an empty countermeasure set and add one countermeasure
at a time, in some cost effective manner until we have a full countermeasure
set.

For each countermeasure set \(Y_i\), we have an associated computer security
index \(U_i\) and an associated cost \(E_i = \sum_{j=1}^{n} D_j x_j\) where \(D_j\) is the cost of
countermeasure \(CM_j\). We could plot \(U_i\) vs. \(E_i\) and for a budget \(E_i\), we choose
countermeasure set \(Y_i\). If we get an additional amount of money \(E_{i+1} - E_i\),
we use countermeasure set \(Y_{i+1}\), obtained by adding one countermeasure to
countermeasure set \(Y_i\).


Let us now consider several algorithms for developing the sequence
of countermeasure sets to be purchased. For notational purposes, let
\(U_i^j\), \(i = 1, 2, \dots, n\), \(j \in (1, 2, \dots, n)\) be the computer security index
for countermeasure set \(Y_{i+1}\) obtained by adding countermeasure \(CM_j\) to
countermeasure set \(Y_i\). We start with \(Y_0 = (0, 0, \dots, 0)\).

In our first algorithm G1, we choose countermeasure \(CM_j\) which
maximizes \(\frac{U_i^j}{E_i + D_j}\). That is, we choose countermeasure \(CM_j\) which maintains
the highest security to cost ratio. After choosing countermeasure \(CM_j\),
we have \(E_{i+1} = E_i + D_j\), and \(U_{i+1} = U_i^j\).

In another algorithm, call it G2, we choose countermeasure \(CM_j\) which
maximizes \(\frac{U_i^j - U_i}{D_j}\). That is, we choose countermeasure \(CM_j\) which gives the
most increase in security per dollar. After choosing countermeasure \(CM_j\)
we have \(U_{i+1} = U_i^j\) and \(E_{i+1} = E_i + D_j\).

The above algorithms are workable in the case \(I_1 = I_2 = \dots = I_K = 1\),
which is the case where there is a 1-1 correspondence between threats
and objectives. In the more general case, however, where there is a
many-to-one correspondence between threats and objectives, (i.e., some
\(I_k \neq 1\), \(k = 1, 2, \dots, K\)), we may run into immediate trouble if we try
to use algorithms G1 or G2 since it is quite possible that \(U_i^j = U_i\) for all
\(j = 1, 2, \dots, n\). In such a case, we could not determine which countermeasure
would be best to add.* To counter this effect, we propose a sort
of "reverse G2" which we will label \(\overline{G2}\). Under this algorithm we start
with a full countermeasure set \(Y_n = (1, 1, \dots, 1)\) and delete countermeasures
so that the decrease in security index per dollar is minimized.
That is, if we let \(U_i^{-j}\) represent the index for countermeasure set \(Y_{i-1}\)
obtained by deleting countermeasure \(CM_j\) from countermeasure set \(Y_i\), we
delete countermeasure \(CM_j\) such that \(\frac{U_i - U_i^{-j}}{D_j}\) is minimized. After deleting
countermeasure \(CM_j\), we have \(U_{i-1} = U_i^{-j}\) and \(E_{i-1} = E_i - D_j\). This gives
us a sequence of countermeasure sets \(Y_n, Y_{n-1}, \dots, Y_1\) which is the
reverse of the sequence we desire.

*Algorithm G1 would add the least costly countermeasure regardless of its
impact on security. Algorithm G2 would arbitrarily add the countermeasures
in numerical sequence. Neither method is very desirable.


We could also perform a "reverse G1", call it \(\overline{G1}\), where we delete
countermeasure \(CM_j\) such that is maximized at each step. That is,
at each step, we delete a countermeasure so as to maintain the highest
security to cost ratio possible.

In Section 5 we will examine the performance of the four algorithms
for sample sets of data. In general, we recommend applying all applicable
algorithms and choosing the one which gives the best results for the
questions being addressed.

We should note in passing that none of the algorithms proposed above
guarantee an optimal solution. Determining the optimal solution would
require that all \(n!\) possible sequences or all \(2^n\) possible countermeasure
sets be examined - a task which could easily become prohibitive.

Toy Problem (with Sample Calculations)


To  illustrate  the  calculations  required  for  the  computer  security 
index  and  the  algorithms,  let  us  consider  the  following  toy  problem. 
Suppose  we  have  three  objectives  (encompassing  five  threats)  with  the 
relative  and  normalized  weights  listed  below. 


Objective   Threats              Relative Weight   Normalized Weight
\(O_1\)     \(T_{11}\), \(T_{12}\)       3                 .200
\(O_2\)     \(T_{21}\)                   5                 .333
\(O_3\)     \(T_{31}\), \(T_{32}\)       7                 .467

(Since  there  is  a 5 to  3 correspondence  between  threats  and  objectives 
this  is  an  example  of  the  generalized  model.) 

Assume  we  have  five  countermeasures  with  the  following  costs: 

Countermeasure   Cost
\(CM_1\)          10
\(CM_2\)          10
\(CM_3\)           5
\(CM_4\)           3
\(CM_5\)           1

Our countermeasure effectiveness matrix, representing the probability
\(c_{kij}\) of countermeasure \(CM_j\) blocking threat \(T_{ki}\) against objective \(O_k\) is
assumed to be:

[Countermeasure effectiveness matrix; columns: Countermeasures \(CM_1\), \(CM_2\), \(CM_3\), \(CM_4\), \(CM_5\)]

(The  computer  program  input  file  for  this  toy  program  is  found  in 
Appendix  II,  Table  II-l.) 

Let us now execute algorithm \(\overline{G2}\) making use of the notation of
Section 3. We must first calculate the computer security index for
the full countermeasure set. The numbers of threats in each objective
are \(I_1 = 2\), \(I_2 = 1\), and \(I_3 = 2\), and the only non-zero \(c_{kij}\) are:

\(c_{114} = .6\)     \(c_{122} = .9\)     \(c_{213} = .5\)
\(c_{115} = .9\)     \(c_{124} = .6\)     \(c_{311} = .8\)

Other quantities and their values follow:

\(\bar{C}_{ki.}\) = Probability that threat \(T_{ki}\) is not stopped against
objective \(O_k\).

\(\bar{C}_{11.} = (1 - .6)(1 - .9) = .04\)
\(\bar{C}_{12.} = (1 - .9)(1 - .6) = .04\)
\(\bar{C}_{21.} = (1 - .5) = .5\)
\(\bar{C}_{31.} = (1 - .8) = .2\)
\(\bar{C}_{32.} = (1 - .7) = .3\)

\(C_{k..}\) = Probability that all threats against objective \(O_k\) are
stopped

\(C_{1..} = (.96)(.96) = .922\)

\(C_{3..} = (.8)(.7) = .56\)

The computer security index of the 5 countermeasures then
equals

\(U_5 = (.2)(.922) + (.333)(.5) + (.467)(.56) = .612\)

We represent the full countermeasure set by \(Y_5 = (11111)\)
and its cost by \(E_5 = 29\).

To continue with iteration 1 of the algorithm, we must calculate
\(U_i^{-j}\) and \(F_i^j\), \(j = 1, 2, 3, 4, 5\) for \(i = 5\) where \(U_i^{-j}\) is the index if
countermeasure \(CM_j\) is deleted from countermeasure set \(Y_i\) and \(F_i^j\) is the factor
we are trying to minimize. For algorithm \(\overline{G2}\), \(F_i^j = \frac{U_i - U_i^{-j}}{D_j}\) where \(D_j\) is
the cost of countermeasure \(CM_j\) and \(U_i\) is the index of countermeasure set
\(Y_i\). Some of the detailed calculations for the first iteration are shown
below.

Delete \(CM_1\)

\(\bar{C}_{11.} = .04\)      \(C_{1..} = (.96)(.96) = .922\)
\(\bar{C}_{12.} = .04\)
\(\bar{C}_{21.} = .5\)       \(C_{2..} = .5\)
\(\bar{C}_{31.} = 1.0\)      \(C_{3..} = (0)(.7) = 0\)
\(\bar{C}_{32.} = .3\)

\(U_5^{-1} = (.2)(.922) + (.333)(.5) + (.467)(0) = .351\)
\(F_5^1 = \frac{.612 - .351}{10} = .026\)

Delete \(CM_2\)

Delete \(CM_3\)

\(\bar{C}_{12.} = .04\)

\(U_5^{-3} = (.2)(.922) + (.333)(0) + (.467)(.56) = .446\)
\(F_5^3 = \frac{.612 - .446}{5} = .033\)

Delete \(CM_4\)

\(\bar{C}_{11.} = (1.0)(.1) = .1\)
\(\bar{C}_{12.} = (.1)(1.0) = .1\)      \(C_{1..} = (.9)(.9) = .81\)
\(\bar{C}_{21.} = .5\)
\(\bar{C}_{31.} = .2\)

\(U_5^{-4} = (.2)(.81) + (.333)(.5) + (.467)(.56) = .590\)
\(F_5^4 = \frac{.612 - .590}{3}\)

Delete \(CM_5\)

\(\bar{C}_{11.} = (.4)(1.0) = .4\)      \(C_{1..} = (.6)(.96) = .576\)
                              \(C_{3..} = .56\)
\(\bar{C}_{32.} = .3\)

\(U_5^{-5} = (.2)(.576) + (.333)(.5) + (.467)(.56) = .543\)
\(F_5^5 = \frac{.612 - .543}{1}\)

Since \(F_5^4\) is the minimum of \(F_5^j\), \(j = 1, 2, 3, 4, 5\), we delete
countermeasure \(CM_4\) yielding countermeasure set \(Y_4 = (11101)\) with an index
of \(U_4 = .590\) at a cost of \(E_4 = 26\).

Some  detailed  calculations  for  the  second  iteration  follow: 

Delete \(CM_1\) (\(CM_4\) already deleted)

\(\bar{C}_{11.} = .1\)       \(C_{1..} = (.9)(.9)\)
\(\bar{C}_{12.} = .1\)
\(\bar{C}_{21.} = .5\)       \(C_{2..} = .5\)
\(\bar{C}_{31.} = 1.0\)      \(C_{3..} = (0)(.7)\)
\(\bar{C}_{32.} = .3\)

\(U_4^{-1} = (.2)(.81) + (.333)(.5) + (.467)(0) = .329\)
\(F_4^1 = \frac{.590 - .329}{10} = .026\)

Delete \(CM_2\) (\(CM_4\) already deleted)

\(\bar{C}_{11.} = .1\)       \(C_{1..} = (.9)(0) = 0\)
\(\bar{C}_{31.} = .2\)       \(C_{3..} = (.8)(0) = 0\)
\(\bar{C}_{32.} = 1.0\)

\(U_4^{-2} = (.2)(0) + (.333)(.5) + (.467)(0) = .167\)
\(F_4^2 = \frac{.590 - .167}{10} = .043\)

Delete \(CM_3\) (\(CM_4\) already deleted)

\(\bar{C}_{11.} = .1\)       \(C_{1..} = (.9)(.9) = .81\)
\(\bar{C}_{21.} = 1.0\)      \(C_{2..} = 0\)
\(\bar{C}_{31.} = .2\)       \(C_{3..} = .56\)

\(U_4^{-3} = (.2)(.81) + (.333)(0) + (.467)(.56) = .424\)
\(F_4^3 = \frac{.590 - .424}{5} = .033\)

Delete \(CM_5\) (\(CM_4\) already deleted)

\(\bar{C}_{11.} = 1.0\)      \(C_{1..} = (0)(.9) = 0\)
\(\bar{C}_{12.} = .1\)
\(\bar{C}_{21.} = .5\)       \(C_{2..} = .5\)
\(\bar{C}_{31.} = .2\)       \(C_{3..} = .56\)
\(\bar{C}_{32.} = .3\)

\(U_4^{-5} = (.2)(0) + (.333)(.5) + (.467)(.56) = .428\)
\(F_4^5 = \frac{.590 - .428}{1} = .162\)

Since \(F_4^1\) is the minimum of \(F_4^j\), \(j = 1, 2, 3, 5\), we delete
countermeasure \(CM_1\) yielding countermeasure set \(Y_3 = (0\ 1\ 1\ 0\ 1)\) with an index
of \(U_3 = .329\) at a cost of \(E_3 = 16\).

Subsequent iterations delete countermeasures 2, 5, and 3 yielding
the desired sequence (under \(\overline{G2}\)) of 3, 5, 2, 1, 4 with respective indices
of (.167, .167, .329, .590, .612).

The  actual  computer  output  for  this  toy  problem  is  found  in 
Appendix  II,  Table  II-2.  (Minor  deviations  in  the  figures  above  and 
the  figures  shown  in  the  output  are  due  to  round-off  errors.) 
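
The toy problem above, worked end to end as an added Python example (this is not the paper's own program, whose input files are in its appendices). The function names are this example's; the value c_322 = .7 is inferred from the worked calculations, and the tie-breaking and zero-cost handling are assumptions marked in the comments.

```python
from math import prod

# Toy-problem inputs from the text. EFFECT keys are (objective k, threat i, CM j).
# c_322 = .7 is not in the printed list of non-zero values; it is inferred here
# from the worked line "(1 - .7) = .3" and from the "Delete CM2" step.
WEIGHTS = {1: 3, 2: 5, 3: 7}              # relative weights w_k
THREATS = {1: [1, 2], 2: [1], 3: [1, 2]}  # I_1 = 2, I_2 = 1, I_3 = 2
COSTS = {1: 10, 2: 10, 3: 5, 4: 3, 5: 1}  # D_j
EFFECT = {
    (1, 1, 4): 0.6, (1, 1, 5): 0.9,
    (1, 2, 2): 0.9, (1, 2, 4): 0.6,
    (2, 1, 3): 0.5,
    (3, 1, 1): 0.8,
    (3, 2, 2): 0.7,
}


def security_index(selected, weights=WEIGHTS, threats=THREATS, effect=EFFECT):
    """U = sum_k W_k * prod_i [1 - prod_{j in selected} (1 - c_kij)]."""
    total_weight = sum(weights.values())
    index = 0.0
    for k, w in weights.items():
        protected = 1.0  # probability that every threat against O_k is stopped
        for i in threats[k]:
            not_stopped = prod(1.0 - effect.get((k, i, j), 0.0) for j in selected)
            protected *= 1.0 - not_stopped
        index += (w / total_weight) * protected
    return index


def reverse_g2(costs=COSTS, index=security_index):
    """Delete from the full set, one CM at a time, minimizing (U_i - U_i^-j) / D_j.

    Returns the purchase sequence (the deletion order reversed) as tuples
    (CM bought, index after buying it, cumulative cost).
    """
    current = set(costs)
    deleted = []
    while current:
        u_now = index(current)

        def loss_per_dollar(j):
            if costs[j] == 0:
                # Assumption: a zero-cost ("built-in") CM is never deleted early.
                return float("inf")
            return (u_now - index(current - {j})) / costs[j]

        # Assumption: ties go to the lowest CM number; the text leaves tie order open.
        victim = min(sorted(current), key=loss_per_dollar)
        deleted.append((victim, u_now, sum(costs[j] for j in current)))
        current.remove(victim)
    return deleted[::-1]


def best_within_budget(sequence, budget):
    """Question 1: the longest prefix of the purchase sequence that fits the budget."""
    bought, result = [], ([], 0.0, 0)
    for cm, u, cost in sequence:
        if cost > budget:
            break
        bought.append(cm)
        result = (list(bought), u, cost)
    return result


if __name__ == "__main__":
    sequence = reverse_g2()
    for cm, u, cost in sequence:
        print(f"buy CM{cm}: index {u:.3f}, cumulative cost {cost}")
    print("budget 20:", best_within_budget(sequence, 20))
    # Weakest link: CM5 alone stops T11 with probability .9, but T12 is open.
    print("index with CM5 only:", security_index({5}))
```

The second purchase (CM5) leaves the index unchanged because threat T12 is still uncovered, which is the weakest-link property of Section 3.2 showing up in the sequence.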

5.1 Generalized Model Example (Many to one correspondence between
threats and objectives).

For purposes of illustration, we have considered a hypothetical
data base retrieval system. We have assumed our adversary to have
four objectives in mind: Objectives \(O_1\), \(O_2\), \(O_3\), \(O_4\). (For purposes
of this illustration, we have not clearly defined these objectives.)
We have arbitrarily given these objectives relative weights of 8, 7,
5, and 3 yielding normalized weights of 8/23, 7/23, 5/23, and 3/23.

In Table 1, we have listed twenty threats against the system and
denoted which of the objectives each of the threats accomplish. (The
same threat could have appeared for more than one objective - although
in this example, they do not.) In Table 2, we have listed 19
countermeasures at our disposal along with the costs of the countermeasures.
Table 3 contains hypothetical effectiveness of each of the
countermeasures against each of the threats (i.e., the probability that each
countermeasure blocks each threat).

We applied algorithms \(\overline{G1}\) and \(\overline{G2}\) to the above inputs (Tables 1, 2, 3)
to determine the sequence of countermeasures to be purchased under each
algorithm.

To answer question 2, using algorithm \(\overline{G1}\), we would purchase the
countermeasures in the order shown in Table 4-1, and to answer question
2 using algorithm \(\overline{G2}\) we would purchase the countermeasures in the order
shown in Table 4-2.

To answer question 1, we would choose the algorithm and the
corresponding countermeasure set which gives the highest security index.
For example, if our budget were $45K, we would use algorithm \(\overline{G1}\), yielding
an index of .243, using countermeasures 7, 8, 17, 1, 19, and 13 (since

TABLE 1

OBJECTIVES AND THREATS
(Generalized Model Example)

OBJECTIVE 1  Relative weight: 8; Normalized weight: 8/23

Threats:   1  Uncleared user qualifies on a classified accession number
           2  Cleared user's terminal displays classified abstracts that
              are not related to his work
           3  Inadvertent writing in the direct files or into the pointer
              table
           4  Uncleared user modifies terminal to transmit the terminal
              identification of a cleared site

OBJECTIVE 2  Relative weight: 7; Normalized weight: 7/23

Threats:   5  User enters illegal strategy for search
           6  Uncleared terminal user falsifies identity by entering the
              identification of a cleared terminal
           7  User enters an executive statement to perform a function
           8  Unclassified terminal displays a classified document when user
              guesses or knows the accession number
           9  Information received from a remote terminal is used as an
              instruction instead of data
          10  Uncleared user accesses the direct file that contains
              classified abstracts
          11  The check of the restored data bank for accuracy fails
          12  Batch program affects the data transfer operation

OBJECTIVE 3  Relative weight: 5; Normalized weight: 5/23

Threats:  13  Classified abstracts are printed at the central site
          14  Illegal command sequences to the system
          15  Selected users enter data to be included in the data
              bases
          16  Incorrect direct file pointer
          17  Residual information in I/O buffers is displayed to a
              terminal user
          18  Wrong data bank restored from mass storage

OBJECTIVE 4  Relative weight: 3; Normalized weight: 3/23

Threats:  19  Input buffer overflow condition
          20  Output buffer overflow condition


TABLE 2

COUNTERMEASURES

No.  Countermeasure                                                     Cost

 1   Strict formatted entries                                           5,000
 2   Identification from the remote terminal must match the
     code application program expects to receive from that site         5,000
 3   Dedicated phone line/dedicated I/O                                 1,000
 4   Additional logic within each terminal which places terminal
     identification code to each message it transmits                  20,000
 5   Input from a terminal is interpreted by the retrieval
     program                                                            8,000
 6   Prior to release of data, user's classification field
     must be verified                                                   6,000
 7   Add logic to check classification indicator in the
     Direct File pointer                                                1,000
 8   Require authorization prior to transmittal of classified data     15,000
 9   Data base access accomplished while off-line                         300
10   Staff verifies that the user is allowed to receive the
     abstract prior to release                                            300
11   Check fields on document                                           5,000
12   Separate data bases - one classified and one unclassified          3,000
13   The accession number of the core must match the requested
     accession number                                                   1,000
14   Direct file is referenced only by the worker segments of the
     retrieval program (without attempt to access)                      4,000
15   File access table must deny the assignment of a classified
     file to an uncleared user                                          4,000
16   Overwrite the output buffer and terminate transmission using
     an end-of-transmission character check                             3,000
17   Requests must be made through the executive program and all
     checks are made by the executive program                          15,000
18   Compare identifier of current user to the identification code
     in the restored data bank                                          3,000
19   Polled mode                                                        6,000


TABLE 4-1

Algorithm \(\overline{G1}\) (Generalized Model Example)

Iteration    Add        Index      Cost ($K)
    i        CM No.     \(U_i\)    \(E_i\)

    1         7*        .0           -
    2         8*        .0           -
    3        17*        .0           -
    4         1*        .142        36.0
    5        19         .226        42.0
    6        13         .243        43.3
    7         9**       .243         -
    8        18**       .243         -
    9        16**       .271        49.3
   10        12         .308        52.3
   11         2         .356        57.3
   12         5         .425        65.3
   13        10         .438        65.6
   14         3         .449        66.6
   15        14         .479        70.6
   16        11         .495        75.6
   17        15         .500        79.6
   18         6         .501        85.6
   19         4         .504       105.6

*Add in any order

**Add in any order

TABLE 4-2

Algorithm \(\overline{G2}\) (Generalized Model Example)

Iteration    Add        Index      Cost
    i        CM No.     \(U_i\)    \(E_i\)

    1        19         .083         6.0
    2        18*        .083         -
    3        16*        .083         -
    4        13*        .083         -
    5        10*        .083         -
    6         9*        .083         -
    7         1*        .120        18.6
    8        12**       .120         -
    9         7**       .120         -
   10         3**       .120         -
   11        17**       .157        38.6
   12         8         .332        53.6
   13         5         .409        61.6
   14         2         .449        66.6
   15        14         .479        70.6
   16        11         .495        75.6
   17        15         .500        79.6
   18         4         .503        99.6
   19         6         .504       105.6

*Add in any order

**Add in any order

for $45K, algorithm \(\overline{G2}\) yields an index of only .157). If our budget
were $54K, we would use algorithm \(\overline{G2}\) yielding an index of .332 using
countermeasures 19, 18, 16, 13, 10, 9, 1, 12, 7, 3, 17 and 8 (since
for $54K, algorithm \(\overline{G1}\) yields an index of only .308). Of course,
trade-offs between security index and countermeasure sets could also
be considered. For example, a system may have roughly the same
security index with two different countermeasure sets which cost
roughly the same. Yet one countermeasure set may be smaller, or more
easily implemented, or more desirable than the other even though it
might have a lower index. In such a case, we might still choose the
countermeasure set with the lower index.

A graphical comparison of the two algorithms is contained in
Figure 2 (page 31). We see that up to $36K, \(\overline{G2}\) is superior. From
$36K to $52.3K, \(\overline{G1}\) performed better. From $52.3K to $66.6K, \(\overline{G1}\) and
\(\overline{G2}\) alternated and above $66.6K, they were nearly identical. It is
interesting to note that under algorithm \(\overline{G2}\), all threats have at least
some coverage (i.e., nonzero probability of being blocked) for a
lower expenditure than under algorithm \(\overline{G1}\).

A sample input file for this example is contained in Appendix III
in Table III-1. The first entry in the file is the algorithm chosen
(G1BAR or G2BAR). (All other input entries are defined in the file.)

5.2 Simplified Model Example (One-to-one correspondence between
threats and countermeasures)

As another illustration, let us consider the simplified model
where there is a one-to-one correspondence between threats and
objectives. In this case, we must denote a relative weight of each threat
which we have done in Table 5. The cost of the countermeasures and
the countermeasure effectiveness matrix is assumed to be the same as
in the previous example (Table 2 and 3).

Tables 6-1 through 6-4 contain the sequences in which
countermeasures should be added for algorithms G1, G2, \(\overline{G1}\) and \(\overline{G2}\), respectively.
As in the case of the generalized model, we make use of these tables
to determine the sequence in which countermeasures should be purchased
to answer question 2, and the countermeasure set which should be used
to answer question 1.

For our sample data, algorithms G1 and \(\overline{G1}\) were found to be identical
and algorithms G2 and \(\overline{G2}\) were nearly identical. Algorithms G2 and \(\overline{G2}\)
clearly outperformed algorithms G1 and \(\overline{G1}\) for expenditures beyond
$26.6K. Because of this we would probably choose algorithm G2 or \(\overline{G2}\)
to answer question 2. For the same reason, we would probably choose
algorithms G1 or \(\overline{G1}\) to answer question 1 for cost constraints less
than $26.6K and choose algorithms G2 or \(\overline{G2}\) to answer question 1 for
cost constraints more than $26.6K.

As occurred in the previous case, it may be observed that all
threats had at least some coverage under algorithms G2 and \(\overline{G2}\) (i.e.,
nonzero probability of being blocked) for a lower expenditure than
under algorithms G1 or \(\overline{G1}\).

TABLE 5
THREATS
(Simplified Model Example)

Threat No.*   Relative Weight   Normalized Weight

     1              8               8/124
     3              8                 "
     4              8                 "
     5              7               7/124
     6              7                 "
     7              7                 "
     8              7                 "
     9              7                 "
    10              7                 "
    11              7                 "
    12              7                 "
    13              5               5/124
    14              5                 "
    15              5                 "
    16              5                 "
    17              5                 "
    18              5                 "
    19              3               3/124
    20              3                 "

*Threat description same as in Table 1

TABLE 6-2
ALGORITHM G2
(Simplified Model Example)

Iteration    Add        Index      Cost ($K)
    i        CM No.     \(U_i\)    \(E_i\)

    1         9         .065          .3
    2         7         .161         1.3
    3        13         .230         2.3
    4         3         .274         3.3
    5         1         .470         8.3
    6        10         .477         8.6
    7        16         .509        11.6
    8        17         .651        26.6
    9        12         .676        29.6
   10        18         .700        32.6
   11        19         .739        38.6
   12         5         .787        46.6
   13         8         .845        61.6
   14        14         .858        65.6
   15         2         .873        70.6
   16        11         .879        75.6
   17        15         .881        79.6
   18         4         .882        99.6
   19         6         .883       105.6

TABLE 6-4
ALGORITHM \(\overline{G2}\)
(Simplified Model Example)

Iteration    Add        Index      Cost ($K)
    i        CM No.     \(U_i\)    \(E_i\)

    1         9         .065          .3
    2         7         .161         1.3
    3        13         .229         2.3
    4         1         .448         7.3
    5         3         .470         8.3
    6        10         .476         8.6
    7        16         .509        11.6
    8        17         .651        26.6
    9        12         .676        29.6
   10        18         .700        32.6
   11        19         .739        38.6
   12         5         .787        46.6
   13         8         .845        61.6
   14        14         .858        65.6
   15         2         .873        70.6
   16        11         .879        75.6
   17        15         .881        79.6
   18         4         .882        99.6
   19         6         .883       105.6

A graphical comparison of the four algorithms is contained in
Figure 3 (page 39). A sample input file for the example is
contained in Appendix III, Table III-2.

[FIGURE 3: Simplified Model Example. Legend: Algorithms G1 or \(\overline{G1}\); Algorithm G2; Difference between Algorithms G2 and \(\overline{G2}\)]


5.3  Some  Comments 


Whether the results we have observed in Figures 2 and 3 for
our hypothetical examples hold true in general has not been studied
in this effort. However, algorithms G2 and \(\overline{G2}\), which performed as
well or better than algorithms G1 and \(\overline{G1}\), appear more intuitively
appealing since they add countermeasures to the countermeasure set
so that the increase in computer security per dollar is maximized.

As mentioned earlier, we recommend running all four algorithms
for the simplified model (one-to-one correspondence between threats
and objectives) and algorithms \(\overline{G1}\) and \(\overline{G2}\) for the generalized model
(many-to-one correspondence between threats and objectives).

6. Illustrative Example - Question 3

We have no illustrative example for Question 3. No effort has been
made in this paper to develop a standard set of threats and countermeasures.
If a standard set of threats and countermeasures were available for all
systems being considered, we would calculate the computer security index
for each system and choose the one with the highest index for the given
budget constraint. However, trade-offs between security and cost might
still be considered. For example, one system may have nearly as high
security index as another but at a much lower cost so that we still might
choose the system with the lower index.

If it is not already obvious, we might point out that if a particular
threat is not applicable to a specific system, it may be entered but negated
by assigning it a zero weight; and a "built-in" countermeasure may be
handled by assigning it zero cost.


7. Illustrative Example - Question 4

For our example, let us use the simplified model example of Section
5.2, i.e., the case where there is a one-to-one correspondence between
threats and countermeasures (using Tables 3, 2, and 5 as our input).

Let us arbitrarily assume that one package contains the first ten
countermeasures and the other package contains the last nine countermeasures.

A sample input file for the last nine countermeasure set is in
Appendix III, Table III-3, where our first entry is "CSI ONLY", indicating
we want only the computer security index calculated.* (All input entries
are described in the file.)

The result of running the program (once for each countermeasure set)
is that the first ten countermeasure set has an index of .537 at a cost of
$61.6K and the last nine countermeasure set has an index of .443 at a cost
of $44K. If one were deciding between these two countermeasure sets, one
would have to determine if the additional index (.537 as opposed to .443)
is worth the additional cost ($61.6K as opposed to $44K).


*NOTE: If the input file were already set up for all 19 countermeasures and
the index for the first 10 countermeasures were desired, it may be more
convenient to use the "PRESET" option (to be discussed in the next section)
rather than the "CSI ONLY" option, and input the sequence so that the first
10 countermeasures appear at the beginning of the sequence. The desired
index would then appear at iteration 10 of the output.

8. Illustrative Example - Question 3

For our example, let us use the generalized model example of Section 5.1,
where we use Tables 1, 2, and 3 as our inputs. Let us assume we are
interested in plotting the computer security index versus cost for the
following (arbitrarily selected) sequence of countermeasures: 4, 17, 8, 5, 19,
6, 11, 2, 1, 15, 14, 18, 16, 12, 13, 7, 3, 10, 9. A sample input file is
in Appendix III, Table III-4, where our first input entry is PRESET and
where we subsequently enter the above sequence. (All input entries are
described in the file.) The output is similar in nature to the output file
shown in Appendix II, Table II-2, except that the sequence outputted
would be the sequence above. Actual results of the output are contained in
Table 7. If we wanted to compare this sequence with another sequence, we
would run the program again with the new sequence substituted for the above
sequence. The results could then be compared and an appropriate decision
made as to which sequence to implement.

TABLE 7

PRE-SELECTED SEQUENCE
(Generalized Model Example)

Iteration    CM No.    Index    Cost ($K)

    1           4       .0        20.0
    2          17       .0        35.0
    3           8       .0        50.0
    4           5       .0        58.0
    5          19       .083      64.0
    6           6       .083      70.0
    7          11       .083      75.0
    8           2       .223      80.0
    9           1       .254      85.0
   10          15       .254      89.0
   11          14       .351      93.0
   12          18       .351      96.0
   13          16       .351      99.0
   14          12       .386     102.0
   15          13       .404     103.0
   16           7       .417     104.0
   17           3       .420     105.0
   18          10       .478     105.3
   19           9       .504     105.6

APPENDIX I


This appendix contains a listing of the computer program and
definitions of the variables used in the program.

When running the program one should ensure that the variables
are properly dimensioned for the problem being considered. To do this,
refer to the REAL and INTEGER dimension statements of the Program Listing,
which have the following correspondence between dimension numbers and the
quantities they represent:

20 - Number of threats
19 - Number of countermeasures
 8 - Maximum number of threats listed for any objective.


PROGRAM LISTING


      PROGRAM CSI
      REAL ABSWT(20),SUMWT,WEIGHT(20),INDEX(19),
     1 MATRIX(20,8,19),INDEXP,F(20),TEMP,TEMP1,
     2 FACTOR(20,8),THR(20,8),FACTV(20,8),
     3 THRV(20),COST(19),COSTP,INDEXP1,FACT(19),
     4 TEMP2
      INTEGER N,T,FLAG1,CM(19),M(20),DELETE,MK,
     1 ITER,ALG,OPT1,SEQ(19),FLAG2
C     SKIP THE HEADER OF THE INPUT FILE, THEN READ THE OPTION NAME
      READ (5,249)
  249 FORMAT (///////////////)
      READ (5,230) ALG
  230 FORMAT (R5)
      IF ((ALG.EQ.5RG1   ).OR.(ALG.EQ.5RG2   ))
     1 OPT1=1
      IF ((ALG.EQ.5RG1BAR).OR.(ALG.EQ.5RG2BAR))
     1 OPT1=2
      IF (ALG.EQ.5RPRESE) OPT1=3
      IF (ALG.EQ.5RCSI O) OPT1=4
      READ (5,200) T,N
  200 FORMAT (10I5)
      READ (5,240)
  240 FORMAT (////)
      IF (OPT1.EQ.3) READ (5,241) (SEQ(I),I=1,N)
  241 FORMAT (10I5)
      WRITE (6,901) T
  901 FORMAT (22HNUMBER OF OBJECTIVES =,I3)
      WRITE (6,903)
  903 FORMAT (32HNUMBER OF THREATS PER OBJECTIVE:)
      READ (5,200) (M(K),K=1,T)
      WRITE (6,902) (M(K),K=1,T)
  902 FORMAT (7I7,1X)
      READ (5,203) (ABSWT(K),K=1,T)
  203 FORMAT (10F5.0)
      WRITE (6,905)
  905 FORMAT (28HRELATIVE WEIGHTS OF THREATS:)
      WRITE (6,904) (ABSWT(K),K=1,T)
  904 FORMAT (7F7.2,1X)
C     NORMALIZE THE WEIGHTS SO THAT THEY SUM TO ONE
      SUMWT = 0.0
      DO 501 K=1,T
  501 SUMWT = SUMWT + ABSWT(K)
      DO 502 K=1,T
  502 WEIGHT(K) = ABSWT(K)/SUMWT
      WRITE (6,910)
  910 FORMAT (30HNORMALIZED WEIGHTS OF THREATS:)
      WRITE (6,800) (WEIGHT(K),K=1,T)
  800 FORMAT (F10.5)
      WRITE (6,906) N
  906 FORMAT (27HNUMBER OF COUNTERMEASURES =,I3)
      WRITE (6,907)
  907 FORMAT (24HCOST OF COUNTERMEASURES:)
      READ (5,202) (COST(J),J=1,N)
  202 FORMAT (5F10.0)
      WRITE (6,908) (COST(J),J=1,N)
  908 FORMAT (5F10.0)
C     COSTP = COST OF THE FULL COUNTERMEASURE SET
      COSTP = 0.0
      DO 590 J=1,N
      COSTP = COSTP + COST(J)
  590 CONTINUE
      WRITE (6,912)
  912 FORMAT (
     140HCOUNTERMEASURE EFFECTIVENESS MATRIX:    )
      DO 504 K=1,T
      MK = M(K)
      DO 5041 I=1,MK
      READ (5,201) (MATRIX(K,I,J),J=1,N)
  201 FORMAT (10F5.1)
      WRITE (6,911) (MATRIX(K,I,J),J=1,N)
  911 FORMAT (5F10.2)
      WRITE (6,921)
  921 FORMAT (/)
 5041 CONTINUE
  504 CONTINUE
C     REPLACE EACH EFFECTIVENESS BY ITS COMPLEMENT, I.E. THE
C     PROBABILITY THAT COUNTERMEASURE J DOES NOT BLOCK THE THREAT
      DO 701 K=1,T
      MK = M(K)
      DO 701 I=1,MK
      DO 7011 J=1,N
 7011 MATRIX(K,I,J) = 1.0 - MATRIX(K,I,J)
  701 CONTINUE
C     INDEX FOR THE FULL COUNTERMEASURE SET
      INDEXP = 0.0
      DO 505 K=1,T
      F(K) = 1.0
      MK = M(K)
      DO 5051 I=1,MK
      TEMP = 1.0
      DO 5052 J=1,N
 5052 TEMP = TEMP*MATRIX(K,I,J)
      FACTOR(K,I) = TEMP
      TEMP = 1.0 - TEMP
      THR(K,I) = TEMP
      F(K) = TEMP * F(K)
 5051 CONTINUE
      INDEXP = WEIGHT(K)*F(K) + INDEXP
  505 CONTINUE
      INDEXP1 = INDEXP
      WRITE (6,915) INDEXP
  915 FORMAT (
     140HCOMPUTER SECURITY INDEX FOR FULL        /
     238HCOUNTERMEASURE SET ENTERED IS EQUAL TO,
     3 F10.5)
      WRITE (6,916) COSTP
  916 FORMAT (
     140HTHE COST FOR THE FULL COUNTERMEASURE SET/
     219HENTERED IS EQUAL TO, F10.0)
      WRITE (6,925)
  925 FORMAT (///)
C     OPTION 4 (CSI ONLY) STOPS HERE
      IF (OPT1.EQ.4) GO TO 99
      WRITE (6,926)
C     (THE BODY OF FORMAT 926 IS ILLEGIBLE IN THE SOURCE LISTING)
  926 FORMAT (
      WRITE (6,925)
      IF (OPT1.EQ.3) WRITE (6,9271)
 9271 FORMAT (
     140HTHE SEQUENCE OF COUNTERMEASURES SELECTED/
     240HBELOW HAS BEEN PRESELECTED BY THE PERSON/
     340HCURRENTLY RUNNING THE PROGRAM AND DOES  /
     440HNOT NECESSARILY REFLECT THE OUTCOME OF  /
     540HTHE ALGORITHMS G1,G2,G1BAR,OR G2BAR     )
      IF (OPT1.NE.3) WRITE (6,927) ALG
  927 FORMAT (16HSTART ALGORITHM ,R5)
      WRITE (6,925)
  910 FORMAT (5F10.5)
C     G1BAR/G2BAR START FROM THE FULL SET, THE OTHERS FROM THE EMPTY SET
      IF (OPT1.EQ.2) CALL ERASER (CM,N,1)
      IF (OPT1.NE.2) CALL ERASER (FACTOR,200,1.0)
      ITER = 0
      IF (OPT1.NE.2) INDEXP = 0.0
      IF (OPT1.NE.2) TEMP2 = 0.0
      IF (OPT1.NE.2) COSTP = 0.0
  560 CONTINUE
      ITER = ITER + 1
      IF (ITER.EQ.N+1) GO TO 561
      IF (OPT1.NE.2) TEMP1 = 0.0
      IF (OPT1.EQ.2) FLAG2 = 1
      IF (OPT1.EQ.3) GO TO 577

      WRITE (6,917) ITER
  917 FORMAT (
     140HBELOW, IF COUNTERMEASURE X WERE         /
     227HADDED(DROPPED) AT ITERATION,I3,1H,/
     340HTHEN THE VALUE OF THE FACTOR TO BE      /
     440HMAXIMIZED (MINIMIZED) IS Y AND THE NEW  /
     540HINDEX, IF X WERE ADDED (DROPPED)        /
     640HWOULD BE Z                              )
      WRITE (6,919)
  919 FORMAT (2X,1HX,6X,1HY,10X,1HZ)
  577 CONTINUE

C     TRY EACH CANDIDATE COUNTERMEASURE J IN TURN
      DO 530 J=1,N
      IF (OPT1.EQ.3 .AND. J.NE.SEQ(ITER)) GO TO 530
      INDEX(J) = 0.0
      IF (CM(J).EQ.0 .AND. OPT1.EQ.2) GO TO 530
      IF (CM(J).EQ.1 .AND. OPT1.NE.2) GO TO 530
      DO 5302 K=1,T
      MK = M(K)
      DO 5302 I=1,MK
      IF (MATRIX(K,I,J).EQ.1.0 .AND. OPT1.EQ.2)
     1 GO TO 601
      IF (OPT1.EQ.2)
     1 FACTV(K,I) = 1.0 - FACTOR(K,I)/MATRIX(K,I,J)
      IF (OPT1.NE.2)
     1 FACTV(K,I) = 1.0 - FACTOR(K,I)*MATRIX(K,I,J)
      GO TO 5302
  601 FACTV(K,I) = 1.0 - FACTOR(K,I)
 5302 CONTINUE
      DO 400 K=1,T
      MK = M(K)
  400 CONTINUE
      DO 5303 K=1,T
      THRV(K) = 1.0
      MK = M(K)
      DO 5303 I=1,MK
 5303 THRV(K) = THRV(K) * FACTV(K,I)
C     INDEX(J) = INDEX IF COUNTERMEASURE J WERE ADDED (DROPPED)
      DO 5304 K=1,T
 5304 INDEX(J) = WEIGHT(K)*THRV(K) + INDEX(J)
      IF (OPT1.EQ.3 .AND. J.EQ.SEQ(ITER)) GO TO 573
      IF ((INDEX(J).LE.0.00000001).AND.(OPT1.EQ.2))
     1 GO TO 760
C     FACT(J) = QUANTITY TO BE MAXIMIZED (G1,G2) OR MINIMIZED (BAR)
      IF (ALG .EQ. 5RG1   )
     1 FACT(J) = INDEX(J)/(COSTP+COST(J))
      IF (ALG .EQ. 5RG2   )
     1 FACT(J) = (INDEX(J)-INDEXP)/COST(J)
      IF (ALG .EQ. 5RG1BAR)
     1 FACT(J) = (COSTP-COST(J))/INDEX(J)
      IF (ALG .EQ. 5RG2BAR)
     1 FACT(J) = (INDEXP-INDEX(J))/COST(J)
  760 CONTINUE
      GO TO 530
 5292 CONTINUE
      IF (OPT1.NE.3)
     1 WRITE (6,825) J,FACT(J),INDEX(J)
  825 FORMAT (I3,E10.1,F10.5)
      IF (FLAG2.EQ.1 .AND. OPT1.EQ.2) GO TO 5003
      IF (FACT(J).GE.TEMP1 .AND. OPT1.EQ.2)
     1 GO TO 530
      IF (FACT(J).LE.TEMP1 .AND. OPT1.EQ.1)
     1 GO TO 530
 5003 CONTINUE
      FLAG2 = 0
      DELETE = J
      TEMP1 = FACT(J)
  530 CONTINUE
  573 CONTINUE

      IF (OPT1.EQ.2) CM(DELETE) = 0
      IF (OPT1.EQ.3) DELETE = SEQ(ITER)
      IF (OPT1.NE.2) CM(DELETE) = 1
      INDEXP = INDEX(DELETE)
      IF ((INDEXP.LE.0.00000001).AND.(OPT1.EQ.2))
     1 GO TO 561
      IF (ITEMP3.EQ.DELETE) FLAG1 = 1
      IF (TEMP2.EQ.INDEXP .AND. OPT1.EQ.1)
     1 FLAG1 = 1
      IF (FLAG1.EQ.1) WRITE (6,8216)
 8216 FORMAT (////
     140HATTENTION STOP                          /
     240HADDITION OF ANY COUNTERMEASURE DOES NOT /
     340HINCREASE INDEX.                         /
     440HYOU SHOULD BE USING ALGORITHM G1BAR OR  /
     540HALGORITHM G2BAR                         )
      IF (FLAG1.EQ.1) GO TO 99
      TEMP2 = INDEXP
      ITEMP3 = DELETE
      IF (OPT1.EQ.2) COSTP = COSTP - COST(DELETE)
      IF (OPT1.NE.2) COSTP = COSTP + COST(DELETE)
C     UPDATE THE NOT-BLOCKED PRODUCTS FOR THE NEW COUNTERMEASURE SET
      DO 580 K=1,T
      MK = M(K)
      DO 580 I=1,MK
      IF (OPT1.EQ.2)
     1 FACTOR(K,I) = FACTOR(K,I)/MATRIX(K,I,DELETE)
      IF (OPT1.NE.2)
     1 FACTOR(K,I) = FACTOR(K,I)*MATRIX(K,I,DELETE)
  580 CONTINUE
      WRITE (6,8211) ITER
 8211 FORMAT (9HITERATION,I3)
      IF (OPT1.EQ.2) WRITE (6,8212) DELETE
 8212 FORMAT (6HDELETE,I3)
      IF (OPT1.NE.2) WRITE (6,8214) DELETE
 8214 FORMAT (3HADD,I3)
      WRITE (6,8213) (CM(J),J=1,N)
 8213 FORMAT (6HCM SET,20I2)
      WRITE (6,909) INDEXP,COSTP
  909 FORMAT (5HINDEX,F10.5,5X,4HCOST,F10.0///)
      IF (INDEXP.EQ.INDEXP1 .AND. OPT1.NE.2)
     1 GO TO 561
      GO TO 560
  561 CONTINUE
      IF (OPT1.NE.2) GO TO 99
      WRITE (6,921)
      WRITE (6,2000)
 2000 FORMAT (
     140HINDEX WILL DROP TO ZERO                 /
     240HWITH FURTHER DELETIONS.                 )
   99 CONTINUE
      WRITE (6,925)
      STOP
      END



DEFINITION OF VARIABLES
USED IN COMPUTER PROGRAM


Text Symbol
(if applicable)    Program
(See Section 3)    Variable         Definition

wk                 ABSWT(k)         Relative weight of objective k

-                  ALG              Designates options for running
                                    programs (also see OPT1)

-                  CM(j)            Indicates whether countermeasure
                                    j is in countermeasure set

-                  COST(j)          Cost of countermeasure j

-                  COSTP            Sum of costs of countermeasure
                                    sets

-                  DELETE           Countermeasure number added or
                                    deleted

(illegible)        F(k)             Probability that all threats
                                    against objective k are blocked
                                    (for full countermeasure set
                                    entered)

-                  FACT(j)          Quantity to be maximized (or
                                    minimized) during operation of
                                    algorithms

(illegible)        FACTOR(k,i)      Probability that the i-th threat
                                    of objective k is not blocked

(illegible)        FACTV(k,i)       Probability that the i-th threat
                                    against objective k is blocked

-                  FLAG1            Dummy variable which sets to
                                    one if index does not increase
                                    as countermeasures are added
                                    under algorithms G1 and G2

-                  FLAG2            Dummy variable which is used
                                    in operation of algorithms
                                    G1BAR and G2BAR

(illegible)        INDEX(j)         Computer security index if j-th
                                    countermeasure is added (or
                                    dropped)

-                  INDEXP           Computer security index

-                  ITEMP3           Temporary storage location for
                                    DELETE

-                  ITER             Iteration number in executing
                                    algorithms

Ik                 M(k)             Number of threats for objective k

Ckij               MATRIX(k,i,j)    Probability that j-th counter-
                                    measure blocks i-th threat of
                                    objective k (later changed to
                                    (1-probability))

Ik                 MK               Same as M(k)

n                  N                Number of countermeasures

-                  OPT1             Designates options for running
                                    programs:
                                    1. Algorithms G1 or G2
                                       implemented
                                    2. Algorithms G1BAR or G2BAR
                                       implemented
                                    3. Computer security index
                                       calculated for pre-selected
                                       sequence of countermeasures
                                    4. Computer security index
                                       calculated; algorithms are
                                       not run

-                  SEQ(j)           Sequence of countermeasures to
                                    be examined if user submits own
                                    sequence

(illegible)        SUMWT            Summation of ABSWT(k)

K                  T                Number of objectives

-                  TEMP1            Temporary storage location
                                    for FACT(j)

-                  TEMP2            Temporary storage location for
                                    computer security index

(illegible)        THR(k,i)         Probability that the i-th threat
                                    against objective k is blocked (for
                                    full countermeasure set entered)

(illegible)        THRV(k)          Probability that all threats
                                    against objective k are blocked

Vk                 WEIGHT(k)        Normalized weight of objective k

APPENDIX II


This appendix contains a sample input file and a sample output file
of the computer program. The two sample files chosen are for the toy
problem of Section 4.


TABLE II-1
SAMPLE INPUT FILE
(TOY PROBLEM)


DATA SET FOR PROGRAM CSI
ENTER HERE:    PARAMETERS REPRESENTING        FORMAT
T,N            NO. OF OBJECTIVES              2I5
               NO. OF COUNTERMEASURES
M(K)           NO. OF THREATS PER             (10I5)
               OBJECTIVE K
ABSWT(K)       REL. WT. OF OBJECT. K          (10I5)
COST(J)        COST OF COUNTERMEASURE J       (5I10)
MATRIX(K,I,J)  COUNTERMEASURE MATRIX          (10F5.1)
BEFORE ENTERING ANY OF THE PARAMETERS ABOVE, ENTER
ON THE NEXT LINE THE ALGORITHM DESIRED (E.G. G1,
G2,G1BAR,G2BAR). IF YOU ARE USING A PRE-SELECTED
SEQUENCE, ENTER *PRESET* ON THE NEXT LINE. IF YOU
WANT ONLY THE COMPUTER SECURITY INDEX
CALCULATED, ENTER *CSI ONLY* ON THE NEXT LINE
G2BAR
    3    5
(IF YOU ARE USING A PRE-SELECTED SEQUENCE OF
COUNTERMEASURES, I.E. YOU HAVE ENTERED PRESET
ABOVE, THEN ENTER THAT SEQUENCE ON THE NEXT LINE
IN FORMAT (10I5). OTHERWISE, CONTINUE ENTERING
PARAMETERS AS DIRECTED ABOVE.)
    2    1    2
    3    5    7
        10        10         5         3         1
   .0   .0   .0   .6   .9
   .0   .9   .0   .6   .0
   .0   .0   .5   .0   .0
   .8   .0   .0   .0   .0
   .0   .7   .0   .0   .0
*EOF*

TABLE II-2
SAMPLE OUTPUT FILE
(TOY PROBLEM)


NUMBER OF OBJECTIVES =  3
NUMBER OF THREATS PER OBJECTIVE:
      2      1      2
RELATIVE WEIGHTS OF THREATS:
   3.00   5.00   7.00
NORMALIZED WEIGHTS OF THREATS:
    .20000
    .33333
    .46667
NUMBER OF COUNTERMEASURES =  5
COST OF COUNTERMEASURES:
        10        10         5         3         1
COUNTERMEASURE EFFECTIVENESS MATRIX:
      0.00      0.00      0.00       .60       .90

      0.00       .90      0.00       .60      0.00

      0.00      0.00       .50      0.00      0.00

       .80      0.00      0.00      0.00      0.00

      0.00       .70      0.00      0.00      0.00

COMPUTER SECURITY INDEX FOR FULL
COUNTERMEASURE SET ENTERED IS EQUAL TO    .61232
THE COST FOR THE FULL COUNTERMEASURE SET
ENTERED IS EQUAL TO        29


START ALGORITHM G2BAR


BELOW, IF COUNTERMEASURE X WERE
ADDED(DROPPED) AT ITERATION  1,
THEN THE VALUE OF THE FACTOR TO BE
MAXIMIZED (MINIMIZED) IS Y AND THE NEW
INDEX, IF X WERE ADDED (DROPPED)
WOULD BE Z
  X      Y          Z
  1   2.6E-02    .35099
  2   3.3E-02    .28187
  3   3.3E-02    .44565
  4   7.4E-03    .59000
  5   6.9E-02    .54320
ITERATION  1
DELETE  4
CM SET 1 1 1 0 1
INDEX    .59000     COST        26


BELOW, IF COUNTERMEASURE X WERE
ADDED(DROPPED) AT ITERATION  2,
THEN THE VALUE OF THE FACTOR TO BE
MAXIMIZED (MINIMIZED) IS Y AND THE NEW
INDEX, IF X WERE ADDED (DROPPED)
WOULD BE Z
  X      Y          Z
  1   2.6E-02    .32867
  2   4.2E-02    .16667
  3   3.3E-02    .42333
  5   1.6E-01    .42800
ITERATION  2
DELETE  1
CM SET 0 1 1 0 1
INDEX    .32867     COST        16


BELOW, IF COUNTERMEASURE X WERE
ADDED(DROPPED) AT ITERATION  3,
THEN THE VALUE OF THE FACTOR TO BE
MAXIMIZED (MINIMIZED) IS Y AND THE NEW
INDEX, IF X WERE ADDED (DROPPED)
WOULD BE Z
  X      Y          Z
  2   1.6E-02    .16667
  3   3.3E-02    .16200
  5   1.6E-01    .16667
ITERATION  3
DELETE  2
CM SET 0 0 1 0 1
INDEX    .16667     COST         6


BELOW, IF COUNTERMEASURE X WERE
ADDED(DROPPED) AT ITERATION  4,
THEN THE VALUE OF THE FACTOR TO BE
MAXIMIZED (MINIMIZED) IS Y AND THE NEW
INDEX, IF X WERE ADDED (DROPPED)
WOULD BE Z
  X      Y          Z
  3   3.3E-02   0.00000
  5   8.9E-16    .16667
ITERATION  4
DELETE  5
CM SET 0 0 1 0 0
INDEX    .16667     COST         5


BELOW, IF COUNTERMEASURE X WERE
ADDED(DROPPED) AT ITERATION  5,
THEN THE VALUE OF THE FACTOR TO BE
MAXIMIZED (MINIMIZED) IS Y AND THE NEW
INDEX, IF X WERE ADDED (DROPPED)
WOULD BE Z
  X      Y          Z
  3   3.3E-02   0.00000

INDEX WILL DROP TO ZERO
WITH FURTHER DELETIONS.


*EOF*
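
The G2BAR run printed in Table II-2 can be reproduced with a short script. This is an added example, not the report's FORTRAN program: the effectiveness values are read from the matrix printed in Table II-2, and treating a countermeasure whose removal would zero the index as ineligible for deletion is a simplifying assumption about how the listing handles that case.

```python
"""Computer security index and the G2BAR drop-one heuristic (added example)."""
from math import prod

# Toy problem of Tables II-1/II-2. One EFFECT row per threat, one column per
# countermeasure 1..5; values are read from the OCR-damaged matrix printed in
# Table II-2 (an assumption). OBJECTIVES lists the threat rows of each objective.
WEIGHTS = [3.0, 5.0, 7.0]            # relative weight of each objective
COSTS = [10.0, 10.0, 5.0, 3.0, 1.0]  # cost of countermeasures 1..5
OBJECTIVES = [[0, 1], [2], [3, 4]]   # 2, 1 and 2 threats per objective
EFFECT = [
    [0.0, 0.0, 0.0, 0.6, 0.9],
    [0.0, 0.9, 0.0, 0.6, 0.0],
    [0.0, 0.0, 0.5, 0.0, 0.0],
    [0.8, 0.0, 0.0, 0.0, 0.0],
    [0.0, 0.7, 0.0, 0.0, 0.0],
]
EPS = 1e-8  # same "index is zero" threshold as the listing


def security_index(selected, weights=WEIGHTS, objectives=OBJECTIVES,
                   effect=EFFECT):
    """Weighted probability that every threat against each objective is blocked.

    `selected` is a set of 0-based countermeasure numbers.
    """
    total = sum(weights)
    index = 0.0
    for weight, threats in zip(weights, objectives):
        all_blocked = 1.0
        for t in threats:
            # A threat gets through only if every selected countermeasure fails.
            not_blocked = prod(1.0 - effect[t][j] for j in selected)
            all_blocked *= 1.0 - not_blocked
        index += (weight / total) * all_blocked
    return index


def g2bar(costs=COSTS, **model):
    """Start from the full set and repeatedly drop the countermeasure whose
    removal loses the least index per dollar.

    Returns [(countermeasure dropped (1-based), new index, remaining cost)].
    """
    selected = set(range(len(costs)))
    current = security_index(selected, **model)
    history = []
    while selected:
        candidates = []
        for j in sorted(selected):
            new_index = security_index(selected - {j}, **model)
            if new_index <= EPS:
                continue  # dropping j would zero the index; never choose it
            loss_per_dollar = (current - new_index) / costs[j]
            candidates.append((loss_per_dollar, j, new_index))
        if not candidates:
            break  # "INDEX WILL DROP TO ZERO WITH FURTHER DELETIONS."
        _, j, current = min(candidates)  # ties go to the lowest number
        selected.remove(j)
        remaining_cost = sum(costs[i] for i in selected)
        history.append((j + 1, round(current, 5), remaining_cost))
    return history


if __name__ == "__main__":
    print("full-set index:", round(security_index(set(range(5))), 5))
    for dropped, index, cost in g2bar():
        print(f"DELETE {dropped}  INDEX {index:.5f}  COST {cost:.0f}")
```

A threat that does not apply can be given zero weight and a built-in countermeasure zero cost in `WEIGHTS` and `COSTS`; note that a zero cost needs special handling in `g2bar` because the loss is divided by the cost.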

APPENDIX III

This appendix contains sample input files for examples considered
in other sections of the text.

Sample Output File      Relevant Section

Table III-1             5.1
Table III-2             5.2
Table III-3             7
Table III-4             8



TABLE III-1
SAMPLE INPUT FILE
(GENERALIZED MODEL EXAMPLE)


DATA SET FOR PROGRAM CSI
ENTER HERE:    PARAMETERS REPRESENTING        FORMAT
T,N            NO. OF OBJECTIVES              2I5
               NO. OF COUNTERMEASURES
M(K)           NO. OF THREATS PER             (10I5)
               OBJECTIVE K
ABSWT(K)       REL. WT. OF OBJECT. K          (10I5)
COST(J)        COST OF COUNTERMEASURE J       (5I10)
MATRIX(K,I,J)  COUNTERMEASURE MATRIX          (10F5.1)
BEFORE ENTERING ANY OF THE PARAMETERS ABOVE, ENTER
ON THE NEXT LINE THE ALGORITHM DESIRED (E.G. G1,
G2,G1BAR,G2BAR). IF YOU ARE USING A PRE-SELECTED
SEQUENCE, ENTER *PRESET* ON THE NEXT LINE. IF YOU
WANT ONLY THE COMPUTER SECURITY INDEX
CALCULATED, ENTER *CSI ONLY* ON THE NEXT LINE
G2BAR
    4   19
(IF YOU ARE USING A PRE-SELECTED SEQUENCE OF
COUNTERMEASURES, I.E. YOU HAVE ENTERED PRESET
ABOVE, THEN ENTER THAT SEQUENCE ON THE NEXT LINE
IN FORMAT (10I5). OTHERWISE, CONTINUE ENTERING
PARAMETERS AS DIRECTED ABOVE.)
    4    8    6    2
    8    7    5    3
      5000      5000      1000     20000      8000
      6000      1000     15000       300       300
      5000      3000      1000      4000      4000
      3000     15000      3000      6000
   .0   .0   .0   .0   .0   .0   .8   .0   .0   .0
   .8   .7   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .8   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .8   .0   .0
   .8   .8   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .8   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .6   .0   .6   .0   .0   .0
REMAINDER OF COUNTERMEASURE EFFECTIVENESS DATA
HAS BEEN OMITTED


TABLE III-2
SAMPLE INPUT FILE
(SIMPLIFIED MODEL EXAMPLE)


DATA SET FOR PROGRAM CSI
ENTER HERE:    PARAMETERS REPRESENTING        FORMAT
T,N            NO. OF OBJECTIVES              2I5
               NO. OF COUNTERMEASURES
M(K)           NO. OF THREATS PER             (10I5)
               OBJECTIVE K
ABSWT(K)       REL. WT. OF OBJECT. K          (10I5)
COST(J)        COST OF COUNTERMEASURE J       (5I10)
MATRIX(K,I,J)  COUNTERMEASURE MATRIX          (10F5.1)
BEFORE ENTERING ANY OF THE PARAMETERS ABOVE, ENTER
ON THE NEXT LINE THE ALGORITHM DESIRED (E.G. G1,
G2,G1BAR,G2BAR). IF YOU ARE USING A PRE-SELECTED
SEQUENCE, ENTER *PRESET* ON THE NEXT LINE. IF YOU
WANT ONLY THE COMPUTER SECURITY INDEX
CALCULATED, ENTER *CSI ONLY* ON THE NEXT LINE
G2BAR
   20   19
(IF YOU ARE USING A PRE-SELECTED SEQUENCE OF
COUNTERMEASURES, I.E. YOU HAVE ENTERED PRESET
ABOVE, THEN ENTER THAT SEQUENCE ON THE NEXT LINE
IN FORMAT (10I5). OTHERWISE, CONTINUE ENTERING
PARAMETERS AS DIRECTED ABOVE.)
    1    1    1    1    1    1    1    1    1    1
    1    1    1    1    1    1    1    1    1    1
    8    8    8    8    7    7    7    7    7    7
    7    7    5    5    5    5    5    5    3    3
      5000      5000      1000     20000      8000
      6000      1000     15000       300       300
      5000      3000      1000      4000      4000
      3000     15000      3000      6000
   .0   .0   .0   .0   .0   .0   .8   .0   .0   .0
   .8   .7   .0   .6   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .8   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .8   .0   .0
   .8   .8   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .8   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
REMAINDER OF COUNTERMEASURE EFFECTIVENESS DATA
HAS BEEN OMITTED


TABLE III-3
SAMPLE INPUT FILE
(SIMPLIFIED MODEL EXAMPLE)


DATA SET FOR PROGRAM CSI
ENTER HERE:    PARAMETERS REPRESENTING        FORMAT
T,N            NO. OF OBJECTIVES              2I5
               NO. OF COUNTERMEASURES
M(K)           NO. OF THREATS PER             (10I5)
               OBJECTIVE K
ABSWT(K)       REL. WT. OF OBJECT. K          (10I5)
COST(J)        COST OF COUNTERMEASURE J       (5I10)
MATRIX(K,I,J)  COUNTERMEASURE MATRIX          (10F5.1)
BEFORE ENTERING ANY OF THE PARAMETERS ABOVE, ENTER
ON THE NEXT LINE THE ALGORITHM DESIRED (E.G. G1,
G2,G1BAR,G2BAR). IF YOU ARE USING A PRE-SELECTED
SEQUENCE, ENTER *PRESET* ON THE NEXT LINE. IF YOU
WANT ONLY THE COMPUTER SECURITY INDEX
CALCULATED, ENTER *CSI ONLY* ON THE NEXT LINE
CSI ONLY
   20    9
(IF YOU ARE USING A PRE-SELECTED SEQUENCE OF
COUNTERMEASURES, I.E. YOU HAVE ENTERED PRESET
ABOVE, THEN ENTER THAT SEQUENCE ON THE NEXT LINE
IN FORMAT (10I5). OTHERWISE, CONTINUE ENTERING
PARAMETERS AS DIRECTED ABOVE.)
    1    1    1    1    1    1    1    1    1    1
    1    1    1    1    1    1    1    1    1    1
    8    8    8    8    7    7    7    7    7    7
    7    7    5    5    5    5    5    5    3    3
      5000      3000      1000      4000      4000
      3000     15000      3000      6000
   .8   .7   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .8   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .8   .7   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .7   .8   .0   .0   .0   .0   .0
REMAINDER OF COUNTERMEASURE EFFECTIVENESS DATA
HAS BEEN OMITTED


TABLE III-4
SAMPLE INPUT FILE
(GENERALIZED MODEL EXAMPLE)


DATA SET FOR PROGRAM CSI
ENTER HERE:    PARAMETERS REPRESENTING        FORMAT
T,N            NO. OF OBJECTIVES              2I5
               NO. OF COUNTERMEASURES
M(K)           NO. OF THREATS PER             (10I5)
               OBJECTIVE K
ABSWT(K)       REL. WT. OF OBJECT. K          (10I5)
COST(J)        COST OF COUNTERMEASURE J       (5I10)
MATRIX(K,I,J)  COUNTERMEASURE MATRIX          (10F5.1)
BEFORE ENTERING ANY OF THE PARAMETERS ABOVE, ENTER
ON THE NEXT LINE THE ALGORITHM DESIRED (E.G. G1,
G2,G1BAR,G2BAR). IF YOU ARE USING A PRE-SELECTED
SEQUENCE, ENTER *PRESET* ON THE NEXT LINE. IF YOU
WANT ONLY THE COMPUTER SECURITY INDEX
CALCULATED, ENTER *CSI ONLY* ON THE NEXT LINE
PRESET
    4   19
(IF YOU ARE USING A PRE-SELECTED SEQUENCE OF
COUNTERMEASURES, I.E. YOU HAVE ENTERED PRESET
ABOVE, THEN ENTER THAT SEQUENCE ON THE NEXT LINE
IN FORMAT (10I5). OTHERWISE, CONTINUE ENTERING
PARAMETERS AS DIRECTED ABOVE.)
    4   17    8    5   19    6   11    2    1   15
   14   18   16   12   13    7    3   10    9
    4    8    6    2
    8    7    5    3
      5000      5000      1000     20000      8000
      6000      1000     15000       300       300
      5000      3000      1000      4000      4000
      3000     15000      3000      6000
   .0   .0   .0   .0   .0   .0   .8   .0   .0   .0
   .8   .7   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .8   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .8   .0   .0
   .8   .8   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .6   .0   .0   .0   .0   .0
   .8   .0   .0   .0   .0   .0   .0   .0   .0   .0
   .0   .0   .0   .0   .0   .0   .0   .0   .0
REMAINDER OF COUNTERMEASURE EFFECTIVENESS DATA
HAS BEEN OMITTED


